Evilnum PyVil RAT


Saturday, September 5th, 2020

Over the past few weeks, researchers have been monitoring new activity from the Evilnum group. Evilnum first appeared in 2018, targeting financial technology companies across the UK and Europe. It used spear-phishing for initial access: a user opens a malicious email attachment, which then downloads and installs the group's tools.

Recently Evilnum has changed its infection chain, its persistence mechanism, and the tools it uses.
By drawing on its knowledge of the "Know Your Customer" (KYC) procedures that many businesses use to verify customers, Evilnum has adjusted its lures to increase the likelihood that an unsuspecting user opens the malicious document.

The attack starts with a phishing email containing a ZIP file with a malicious LNK file inside. The LNK file is made to look like a PDF. When it is opened, a JavaScript file is written to disk and executed, and the LNK file is replaced with a real PDF so the victim sees what they expected. That PDF contains several images of the kind a KYC process collects, such as utility bills, credit card photos, and driver's license photos.
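One defensive check that follows from this chain, added here as an example and not code from the original post: inspect ZIP attachments and flag any entry whose content carries the Windows shortcut (LNK) header but whose name presents as a PDF. The sample archive and file names below are constructed in memory; only the LNK header signature is real.

```python
"""Flag ZIP attachments that carry a Windows shortcut (.lnk) posing as a PDF.

The sample archive is constructed in memory. The LNK signature is the real
ShellLink header (HeaderSize 0x4C followed by the ShellLink CLSID); the rest
of the shortcut entry is dummy padding.
"""
import io
import zipfile

# Every Windows .lnk file starts with HeaderSize 0x0000004C and the CLSID
# 00021401-0000-0000-C000-000000000046, serialised little-endian.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
PDF_MAGIC = b"%PDF-"

def classify_entry(data: bytes) -> str:
    """Return 'lnk', 'pdf' or 'other' based on content, never on the name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "other"

def looks_like_pdf(name: str) -> bool:
    """True when the name would read as a PDF to a user, including the
    double-extension case ('report.pdf.lnk') where Explorer hides '.lnk'."""
    lowered = name.lower()
    return lowered.endswith(".pdf") or ".pdf." in lowered

def find_disguised_lnk(zip_bytes: bytes) -> list:
    """Names of entries whose content is a shortcut but whose name says PDF.
    Any LNK in a mail attachment deserves a look; this mismatch is the lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            head = zf.open(info).read(32)  # header is enough to classify
            if classify_entry(head) == "lnk" and looks_like_pdf(info.filename):
                findings.append(info.filename)
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: a fake KYC 'PDF' that is really a shortcut,
    next to a benign PDF that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KYC_documents.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("terms.pdf", PDF_MAGIC + b"1.4\n%dummy\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(find_disguised_lnk(build_sample_zip()))  # ['KYC_documents.pdf.lnk']
```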

Evilnum's motives are purely financial; previous attacks focused on customer information, credit card data, and other financial data.
